Key management system

ABSTRACT

In a transmitter, data is encrypted by use of a data key, the data key is encrypted based on a first modification key, and the first modification key is encrypted based on a second modification key such that the first and second modification keys are different keys. The encrypted data, the encrypted data key, and the encrypted first modification key are transmitted to a receiver. In the receiver, the encrypted first modification key, the encrypted data key, and the encrypted data are received from the transmitter. The encrypted first modification key is decrypted based on the second modification key, the encrypted data key is decrypted based on the decrypted first modification key, and the encrypted data is decrypted by use of the decrypted data key.

RELATED APPLICATIONS

This application is a division of U.S. patent application Ser. No.11/137,272, filed on May 25, 2005.

TECHNICAL FIELD OF THE INVENTION

The present invention relates to the encryption and decryption of datatransmitted between a transmitter and a receiver and, more particularly,to the encryption and decryption of both data and the encryption keysused to encrypt the data.

BACKGROUND OF THE INVENTION

There are many systems in which the unauthorized copying of data hasundesired consequences. For example, in pay-per-view systems such asthose offered by hotels, motels, and cable systems, the suppliersoffering pay-per-view programming lose substantial revenues if theirprograms are pirated.

Many tools are commonly available at hardware stores, hobby shops,university laboratories, and are provided by hackers and experts toenable the reverse-engineering of all aspects of data transmissionsystems, including pay-per-view systems. Accordingly, pay-per-viewsuppliers and others interested in copy protection implement variouscopy protection systems in order to prevent unauthorized copying.

Copy protection systems have a number of security goals. For example,copy protection systems are intended to prevent the theft of highquality compressed digital content, to prevent theft of high qualityuncompressed digital content, and to limit losses caused by break-ins.

The copy protection system of the present invention is intended tothwart unauthorized copying of content.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features and advantages will become more apparent from adetailed consideration of the invention when taken in conjunction withthe drawings in which:

FIG. 1 illustrates an encryption encoder of a copy protectiontransmitter according to one embodiment of the present invention;

FIG. 2 illustrates the data encryption block of FIG. 1 in greaterdetail;

FIG. 3 illustrates the dynamic keys block of FIG. 1 in greater detail;

FIG. 4 illustrates the key expansion block of FIG. 3 in greater detail;

FIG. 5 illustrates portions of FIG. 1 in greater detail;

FIG. 6 illustrates the key modifier of FIG. 5 in greater detail;

FIG. 7 illustrates an example modifier message MM used in the copyprotection system of FIG. 1;

FIG. 8 illustrates a control portion of the modifier message MMillustrated in FIG. 7;

FIG. 9 illustrates an example definition of the system control bytes ofthe modifier message MM illustrated in FIG. 8;

FIG. 10 illustrates an example message segment MS used in the copyprotection system of FIG. 1;

FIG. 11 illustrates the program key, modification key, and modifiermessage MM encryption block of FIG. 1 in greater detail;

FIG. 12 illustrates an example key message that is part of the messagesegment MS illustrated in FIG. 10;

FIG. 13 illustrates an example pair of message segments MS used totransmit program keys and modification keys;

FIG. 14 illustrates the timing of the transmitter and receiver withrespect to message generation and use;

FIG. 15 illustrates an example rotation for applying the program keys PKduring encryption of program data;

FIG. 16 illustrates an example of the portions of a program data segmentof a field to which the rotation is applied;

FIG. 17 illustrates a decryption decoder of a copy protection receiveraccording to one embodiment of the present invention;

FIG. 18 illustrates the data decryption block of FIG. 17 in greaterdetail;

FIG. 19 illustrates portions of the decryption decoder of FIG. 17 ingreater detail; and,

FIG. 20 illustrates the key and modifier message decryption block ofFIG. 17 in greater detail.

DETAILED DESCRIPTION

In FIG. 1, an example encryption encoder 8 of a copy protectiontransmitter includes a PID filter 10 that receives an MPEG transportstream and that determines which packets in the MPEG transport streamcontain data to be encrypted. As discussed below, the PID filter 10 alsoidentifies null packets that are to be replaced with message segments MSthat give the receiver sufficient information for decrypting theencrypted program data in the received signal, and the PID filter 10further identifies packets containing information that is not to beencrypted.

A dynamic program key and modification key generator 12 dynamicallygenerates program keys PK that are applied by a first encryption engine14 in order to encrypt the program data in the MPEG transport streamthat has been selected for encryption. The first encryption engine 14,for example, may be a single wrap encryption engine, and may be arrangedto apply the single wrap encryption process specified in the AdvancedEncryption Standard (AES). The encrypted program data packets aresupplied to one input of an output multiplexer 16.

The dynamically generated program keys PK are applied through amultiplexer 24 whereupon they are themselves encrypted by a secondencryption engine 18. The second encryption engine 18 may be a triplewrap encryption engine, and may be arranged to apply the triple wrapencryption process specified in the Advanced Encryption Standard.

Unlike the dynamically generated program keys PK that are used by thefirst encryption engine 14 to encrypt the program data, the keys used bythe second encryption engine 18 to encrypt the dynamically generatedprogram keys PK are message segment keys. Fixed keys are stored in amemory 20, these fixed keys are used by a message segment key generatorand control 22 to generate message segment keys, and the message segmentkeys are supplied to the second encryption engine 18.

The fixed keys stored in the memory 20 are, for example, 128 bits long,and there are, for example, sixty-four fixed keys stored in the memory20. The hash values discussed herein are, for example, sixty-four bitseach and are derived as selected portions of the fixed keys.Alternatively, hash values may be separately stored in the memory 20,and the fixed keys and hash values may be of any desired length andnumber.

Thus, the message segment key generator and control 22 selects the fixedkeys to be used by the second encryption engine 18 from the memory 20,uses them to generate message segment keys, and supplies the messagesegment keys to the second encryption engine 18. The second encryptionengine 18 encrypts the dynamically generated program keys PK based onthe message segment keys from the message segment key generator andcontrol 22.

As discussed below, a modifier message MM and modification keys MK arealso applied through the multiplexer 24 and are encrypted by the secondencryption engine 18. The encrypted dynamically generated program keysPK and the encrypted modifier message MM are assembled into program keymessage segments PKMS that are forwarded to the receiver. As furtherdiscussed below, the encrypted modification keys MK, an encryptedchecksum, and the encrypted modifier message MM are similarly assembledinto modification key message segments MKMS that are also forwarded tothe receiver.

The modification keys, which are dynamically generated by the programand modification key generator 12, are used with the fixed keys togenerate the message segment keys that are used to encrypt the programkeys, and the checksum is based on the fixed keys stored in the memory20. The checksum, for example, may comprise 128 bits, and may begenerated from all of the fixed keys stored in the memory 20.Accordingly, the receiver can compare the checksum from the transmitterwith a checksum generated from its own fixed keys to check that itsfixed keys match the fixed keys of the transmitter. The checksum couldalso be used to determine errors in transmission.

As indicated above, the program key message segment PKMS and themodification key message segment MKMS give the receiver the informationit requires to decrypt the encrypted program data in the receivedsignal.

FIG. 2 shows the first encryption engine 14 in additional detail. Asshown in FIGS. 1 and 2, the first encryption engine 14 is coupledbetween the PID filter 10 and the output multiplexer 16.

The first encryption engine 14 has three sections 14A, 14B, and 14C. Thesection 14A includes a de-multiplexer 30, memories 32 and 34, and amultiplexer 36. The section 14B includes a RAM delay 38, an encryptionblock 40, and a multiplexer 42. The section 14C includes ade-multiplexer 44, memories 46 and 48, and a multiplexer 50.

The PID filter 10 passes transport packets in the MPEG transport streamto the de-multiplexer 30. The transport packets are de-multiplexed andare stored in the memories 32 and 34 that operate in a ping-pongfashion. The transport packets in the memories 32 and 34 are supplied tothe multiplexer 36.

The multiplexer 36 passes all packets from the memories 32 and 34 toboth the RAM delay 38 and the encryption block 40. These packets includeprogram packets, null packets, and such non-program packets as PIDs,PSIPs, PMTs, and PATs. The encryption block 40 uses the dynamicallygenerated program keys PK to encrypt all packets that it receives andsupplies the encrypted packets to the multiplexer 42. In response to anencrypt flag from the PID filter 10, the multiplexer 42 selects only theencrypted packets from the encryption block 40 which correspond to theselected program or programs that are to be encrypted. It will beunderstood that the MPEG transport stream may contain one or moreprograms and that any one or more of these programs may be flagged forencryption. All other packets (those that do not correspond to theprogram to be encrypted) are selected by the multiplexer 42 from the RAMdelay 38. Thus, the output of the multiplexer 42 is the input MPEGtransport stream except that the packets corresponding to the selectedprogram are encrypted. The multiplexer 42 passes the encrypted andnon-encrypted packets to the de-multiplexer 44.

The encrypted and non-encrypted packets from the de-multiplexer 44 arestored in the memories 46 and 48 that operate in a ping-pong fashion.The encrypted and non-encrypted packets in the memories 46 and 48 aresupplied through the multiplexer 50 to the output multiplexer 16.

The sections 14A and 14C of the first encryption engine 14 arecontrolled so as to maintain proper timing, data flow rates, andsynchronization.

FIG. 3 shows a dynamic program key generator portion 12A of the dynamicprogram key and modification key generator 12 in more detail. Thedynamic program key generator portion 12A includes a seed generator 60that supplies a seed to a random number generator 62. For example, theseed generator 60 can select, on any desired basis, the seed from anyportion of the MPEG transport stream 61, such as video and/or audio, inone or more program data packets.

A de-multiplexer 64 selects four 128 bit random numbers from the randomnumber generator 62 and stores these four 128 bit random numbers as fourdynamically generated program keys in a next portion of a memory 66while the encryption block 40 uses the four dynamically generatedprogram keys previously stored in an active portion of the memory 66 toencrypt program data. Thus, while the four dynamically generated programkeys PK stored in the active portion of the memory 66 are currentlybeing used to encrypt program data, the de-multiplexer 64 selectsanother four 128 bit random numbers from the random number generator 62and stores these additional four 128 bit random numbers as fourdynamically generated program keys PK in the next portion of the memory66.

As explained below in connection with FIG. 14, at the time that amodification key message segment MKMS is transmitted, use of the fourdynamically generated program keys PK stored in the active portion ofthe memory 66 is discontinued, and use of the four new dynamicallygenerated program keys PK stored in the next portion of the memory 66begins. At this transition point, the old next portion of the memory 66becomes the new active portion of the memory 66, and the old activeportion of the memory 66 becomes the new next portion of the memory 66.Also, while these four new dynamically generated program keys PK arebeing used to encrypt program data, four more program keys PK aredynamically generated and stored in the new next portion of the memory66.

A multiplexer 68 supplies the four dynamic program keys from the activeportion of the memory 66 to a key expander 70 such as that shown in FIG.4. As needed, the key expander 70 expands each of the dynamic programkeys PK from 128 bit keys to, for example, 1408 bit expanded keys. Theexpanded dynamic program keys PK are supplied to the encryption block 40of FIG. 2.

The key expander 70 as shown in FIG. 4 includes an inverse key block.This inverse key block is enabled during program encryption and isdisabled during encryption of the program key message segment PKMS andthe modification key message segment MKMS.

In this manner, four dynamically generated program keys PK are used toencrypt program data while the next four program keys PK are beingdynamically generated. The four dynamically generated program keys PKbeing used from the active portion of the memory 66 continue to be useduntil the modification key message segment MKMS is generated.

The time between message segments, for example, can be made dependentupon the availability of null packets in the incoming MPEG transportstream because message segments are transmitted in place of selectednull packets. The PID filter 10 detects the null packet and signalsoutput multiplexer 16 to pass a message segment instead of packets fromthe multiplexer 50.

As shown in FIG. 5, a fixed key selector 80 uses random numbersgenerated by the random number generator 62 in order to address thememory 20 so as to select fixed keys from the memory 20. For example,each fixed key stored in the memory 20 may be 128 bits, and four 32 bitaddress words may be used to read each fixed key from the memory 20.These fixed keys are used to encrypt the program keys and modificationkeys (described in more detail hereinafter) that are sent to thereceiver and that are required by the receiver to decrypt the receivedencrypted program data.

More specifically, three fixed keys are selected from the memory 20 bythe fixed key selector 80 and are stored as fixed keys K_(A) in a fixedkey memory 82. Three more fixed keys are selected from the memory 20 bythe fixed key selector 80 and are stored as fixed keys K_(B) in a fixedkey memory 84. For example, each of these three fixed keys K_(A) andthree fixed keys K_(B) may be 128 bits in length. The three fixed keysK_(A) stored in the fixed key memory 82 and the three fixed keys K_(B)stored in the fixed key memory 84 are selected on the basis of randomaddresses from the random number generator 62.

In addition, three Hash values A, B, and C are selected by the fixed keyselector 80 and are stored in a message segment key and hash valuememory 86. The three Hash values A, B, and C are also selected on thebasis of random addresses from the random number generator 62.

For example, each of the three Hash values A, B, and C may be 64 bits or½ of a fixed key. Moreover, three random numbers from the random numbergenerator 62 are stored in a modification key memory 88 as modificationkeys K_(M). Each of the modification keys, for example, may be 128 bitsin length.

A message segment key generator 90, which is shown in more detail inFIG. 6, includes latches 92 ₁, 92 ₂, and 92 ₃ and a 96×32 look up table94. The latch 92 ₁ latches the first 32 bits of a first of the threefixed keys K_(A) stored in the fixed key memory 82, the latch 92 ₂latches the first 32 bits of a first of the three fixed keys K_(B)stored in the fixed key memory 84, and the latch 92 ₃ latches the first32 bits of a first of the three modification keys K_(M) stored in themodification key memory 88. These 96 latched bits form a 96 bit addressthat reads out the first 32 bits of a first message segment key forstorage in the message segment key and hash value memory 86.

FIG. 6 also shows, in simplified form, four of the look up tables thatare stored in the look up table 94. One of the tables is selected toprovide the three message segment keys that are stored in the messagesegment key and hash value memory 86. The simplified form of table 0 inFIG. 6 shows the relationship between the address and the bits that arestored in table 0. Thus, if the first K_(M) bit of an address is 0 andthe first K_(A) bit of an address is 0 and the first K_(B) bit of anaddress is 0, table 0 will read out a 0 bit for the first bit K₀ of amessage segment key. However, if the first K_(M) bit of an address is 1and the first K_(A) bit of an address is 1 and the first K_(B) bit of anaddress is 0, table 0 will instead read out a 1 bit for the first bit K₀of a message segment key. If the next K_(M) bit of an address is 0 andthe next K_(A) bit of an address is 0 and the next K_(B) bit of anaddress is 0, table 0 will read out a 0 bit for the next bit K₀ of themessage segment key. However, if the next K_(M) bit of an address is 0and the next K_(A) bit of an address is 1 and the next K_(B) bit of anaddress is 0, table 0 will instead read out a 1 bit for the next bit K₀of a message segment key.

The bits that are stored in the tables may have any desired relationshipto their addresses. The relationship may be a random, OR, XOR, AND,NAND, NOT, MUX, ones complement, twos complement, or gray scalerelationship, and each table may bear a different relationship betweenthe address and the stored bits.

After the first 32 bits of the first message segment key are read out ofthe look up table 94 and are stored in the message segment key and hashvalue memory 86, the latch 92 ₁ latches the second 32 bits of the firstof the three fixed keys K_(A) stored in the fixed key memory 82, thelatch 92 ₂ latches the second 32 bits of the first of the three fixedkeys K_(B) stored in the fixed key memory 84, and the latch 92 ₃ latchesthe second 32 bits of the first of the three modification keys K_(M)stored in the modification key memory 88. These 96 latched bits form asecond 96 bit address that reads out the second 32 bits of the firstmessage segment key for storage in the message segment key and hashvalue memory 86.

The third and fourth 32 bits of the first of the three fixed keys K_(A)stored in the fixed key memory 82, of the first of the three fixed keysK_(B) stored in the fixed key memory 84, and of the first of the threemodification keys K_(M) stored in the modification key memory 88 areused to read out the third and fourth 32 bits of the first messagesegment key from the look up table 94. These third and fourth 32 bits ofthe first message segment key are also stored in the message segment keyand hash value memory 86 to form all 128 bits of the first messagesegment key. The second and third message segment keys are similarlyread out of the look up table 94 and stored in the message segment keyand hash value memory 86. These three message segment keys are used toencrypt the program keys. Three other message segment keys are used toencrypt a set of modification keys as explained in more detail below.

As shown in FIG. 5, a multiplexer 96 appropriately multiplexes the fournext dynamically generated program keys PK from the memory 66, a keycontrol 98, the modification keys from the modification key memory 88,the checksum from the memory 20, and a modifier message MM from amodifier message memory 99 to create the program key message segmentPKMS and the modification key message segment MKMS that are discussedmore fully below.

An example of the modifier message MM is shown in FIG. 7. As shown, themodifier message MM contains a 64-bit initial value and a 192 bitcontrol. The use of the initial value is described below. As shown inFIG. 8, the control bits of the modifier message MM comprise, forexample, four bytes for system control, nine bytes for address pointersthat point to memory addresses for the fixed keys and Hash values, andeleven bytes that can be used for any purpose.

The address pointers discussed above point to the addresses in thememory 20 corresponding to (i) the six fixed keys that are stored in thefixed key memories 82 and 84 and that, in selected combinations, areused by the message segment key generator 90 to generate the messagesegment keys A, B, and C stored in the message segment key and hashvalue memory 86 and (ii) the hash values A, B, and C that are alsostored in the message segment key and hash value memory 86. Theseaddress pointers are sent in the modifier message MM to the receiver sothat the receiver can re-generate the message segment keys A, B, and Cand corresponding hash values A, B, and C that are required to decryptthe program keys and modification keys, as explained below.

The 32 bits of the system control of the modifier message MM are shownby way of example in FIG. 9. Bits 0 and 1 are used to designate the copycontrol assigned to the program data. Bits 2-7 are reserved except thatat least one of these reserved bits is set to one value to indicate thatthe corresponding message segment is a modification key message segmentMKMS and is set to another value to indicate that the correspondingmessage segment is a program key message segment PKMS.

When this at least one reserved bit is set to the value that indicatesthat the corresponding message segment is a modification key messagesegment MKMS, the bits K_(M) provided to the look up table 94 are set toa predetermined value such as all zeros while the three message segmentkeys are being produced for storage in the message segment key and hashvalue memory 86. In effect, the message segment keys that are used toencrypt the modification key message segment MKMS are produced withmodification keys having a predetermined value known to both thetransmitter and the receiver.

When the modification keys have this predetermined value, the look uptable 94 may pass only the fixed keys K_(A) as the message segment keys.Alternatively, when the modification keys have this predetermined value,the look up table 94 could instead pass only the fixed keys K_(B) as themessage segment keys, or the look up table 94 could read out messagesegment keys on the basis of both the fixed keys K_(A) and K_(B) fromthe fixed key memories 82 and 84. These alternatives are based on whichof the tables in look up table 94 is selected as indicated by bits 8-11of the system control of the modifier message MM as discussed below. Themessage segment keys produced with these modification keys having thepredetermined value are used to encrypt the modification key messagesMK1, MK2, and MK3 and the checksum message CRC.

When this at least one reserved bit is set to the value that indicatesthat the corresponding message segment is a program key message segmentPKMS, the bits K_(M) provided to the look up table 94 are the randomlygenerated modification keys stored in the modification key memory 88,and these randomly generated modification keys are used along with thefixed keys K_(A) and K_(B) to produce the three message segment keysstored in the message segment key and hash value memory 86. Thus, themessage segment keys that are used to encrypt the program key messagesegment PKMS are produced with the randomly generated modification keysstored in the modification key memory 88 in addition to the fixed keysK_(A) and K_(B) from the fixed key memories 82 and 84. The messagesegment keys produced with the randomly generated modification keysstored in the modification key memory 88 are used to encrypt the programkey messages PK1, PK2, PK3, and PK4.

The fixed keys used to generate the message segment keys that encryptthe program key message segment PKMS may be the same as or differentfrom the fixed keys used to generate the message segment keys thatencrypt the modification key message segment MKMS.

Bits 8, 9, 10, and 11 designate which one of the sixteen possible tablesstored in the look up table 94 is used to produce the message segmentkeys stored in the message segment key and hash value memory 86.

Bits 12-15 may be used for any purpose such as indicating to thereceiver a particular program key rotation, as discussed below.

Bits 16-31 are a checksum produced by a CRC generator of the modifiermessage memory 99. Specifically, the CRC generator of the modifiermessage memory 99 applies a CRC code to bits 0-15 of the system controlbyte shown in FIG. 9 in order to generate a checksum. This checksumcomprises bits 16-31 as shown in FIG. 9. The CRC generator appends thischecksum to the unmodified bits 0-15 to form the full system control ofthe modifier message MM. This full system control of the modifiermessage MM is used by the receiver to determine if the program keymessage segment PKMS and/or the modification key message segment MKMS isnot properly received due, for example, to noise in the channel and isdescribed in more detail below.

As shown in FIG. 5, a multiplexer 100 receives the message segment keysand hash values stored in the message segment key and hash value memory86. The multiplexer 100 also receives three fixed keys A′, B′, and C′and three Hash values A′, B′, and C′ stored in a memory 102. Forexample, the three fixed keys A′, B′, and C′ stored in the memory 102each comprises a 128 bit fixed key, and the three Hash values A′, B′,and C′ stored in the memory 102 each comprises a 64 bit Hash value.

The multiplexers 96 and 100 operate in conjunction with the secondencryption engine 18 to encrypt the encrypted portion of the messagesegments MS shown in FIG. 10. In the case of the program key messagesegment PKMS, the encrypted portion of the message segment MS shown inFIG. 10 includes the modifier message MM, and four program key messagesKM1, KM2, KM3, and KM4. In the case of the modification key messagesegment MKMS, the encrypted portion of the message segment MS shown inFIG. 10 includes the modifier message MM, the three modification keymessages MK1, MK2, and MK3, and the fixed key checksum CRC. The modifiermessages MM include the initial value and the 192 bit control as shownin FIGS. 7 and 8. The initial value, for example, may include 64predetermined arbitrary bits.

In order to encrypt the modifier message MM, the multiplexer 100 passesthe three fixed keys A′, B′, and C′ and the three Hash values A′, B′,and C′ from the memory 102 through a key expander 104 to the secondencryption engine 18. The key expander 104, for example, may be similarto the key expander 70 and expands only the fixed keys A′, B′, and C′.The key expander 104 does not expand the Hash values A′, B′, and C′.Also, the multiplexer 96 passes the modifier message MM to the secondencryption engine 18.

The second encryption engine 18 is shown in more detail in FIG. 11. TheHash value A′ is applied to an EXCLUSIVE OR 106, the Hash value B′ isapplied to an EXCLUSIVE OR 108, and the Hash value C′ is applied to anEXCLUSIVE OR 110. The EXCLUSIVE ORs 106, 108, and 110 bit-wise processtheir respective inputs. The expanded fixed key A′ is applied to an AESencrypter 112, the expanded fixed key B′ is applied to an AES encrypter114, and the expanded fixed key C′ is applied to an AES encrypter 116.

The initial value of the modifier message MM is applied to the EXCLUSIVEOR 106, a first ⅓ of the control bits of the modifier message MM isapplied to the AES encrypter 112, a second ⅓ of the control bits of themodifier message MM is applied to the AES encrypter 114, and a third ⅓of the control bits of the modifier message MM is applied to the AESencrypter 116.

The AES encrypter 112 encrypts an output of the EXCLUSIVE OR 106 and thefirst ⅓ of the control bits of the modifier message MM according to theexpanded fixed key A′, and supplies half of the encryption result to theEXCLUSIVE OR 108 and the other half as the second ¼ of the encryptedmodifier message MM. The AES encrypter 114 encrypts an output of theEXCLUSIVE OR 108 and the second ⅓ of the control bits of the modifiermessage MM according to the expanded fixed key B′, and supplies half ofthe encryption result to the EXCLUSIVE OR 110 and the other half as thethird ¼ of the encrypted modifier message MM. The AES encrypter 116encrypts an output of the EXCLUSIVE OR 110 and the third ⅓ of thecontrol bits of the modifier message MM according to the expanded fixedkey C′, and supplies half of the encryption result as the first ¼ of theencrypted modifier message MM and the other half as the fourth ¼ of theencrypted modifier message MM.

Each key message in the program key message segment PKMS has the exampleconstruction of FIG. 12. According to this example, a program keymessage KM1 includes a 64-bit initial value, which may be same initialvalue as discussed above or a different initial value, a 64-bit keycontrol 98, and one of the 128-bit program keys divided into two 64-bitportions. The program key messages KM2, KM3, and KM4 containing theother three program keys are similarly constructed.

The key control 98 is used to designate whether the key message containsa program key, a modification key, or the checksum.

In order to encrypt the program key message KM1, the multiplexer 100passes the three message segment keys A, B, and C and the three Hashvalues A, B, and C from the message segment key and hash value memory 86through the key expander 104 to the second encryption engine 18. Asexplained above, the three message segment keys A, B, and C that areused to encrypt the program key messages are the message segment keysread out of the table 94 by use of the randomly generated modificationkeys K_(M) stored in the modification key memory 88, the fixed keysK_(A) from the fixed key memory 82, and the fixed keys K_(B) from thefixed key memory 84. The key expander 104 expands only the messagesegment keys A, B, and C. The key expander 104 does not expand the Hashvalues A, B, and C. Also, the multiplexer 96 passes the first of thefour dynamically generated program keys from the next portion of thememory 66 to the second encryption engine 18.

In the second encryption engine 18, the Hash value A is applied to theEXCLUSIVE OR 106, the Hash value B is applied to the EXCLUSIVE OR 108,and the Hash value C is applied to the EXCLUSIVE OR 110. The expandedmessage segment key A is applied to the AES encrypter 112, the expandedmessage segment key B is applied to the AES encrypter 114, and theexpanded message segment key C is applied to the AES encrypter 116. Theinitial value is applied to the EXCLUSIVE OR 106, the control word isapplied to the AES encrypter 112, a first ½ of the first of the fourdynamically generated program keys is applied to the AES encrypter 114,and a second half of the first of the four dynamically generated programkeys is applied to the AES encrypter 116.

The AES encrypter 112 encrypts an output of the EXCLUSIVE OR 106 and thecontrol word according to the expanded message segment key A, andsupplies half of the encryption result to the EXCLUSIVE OR 108 and theother half as the second ¼ of the program key message KM1. The AESencrypter 114 encrypts an output of the EXCLUSIVE OR 108 and the first ½of the first of the four dynamically generated program keys according tothe expanded message segment key B, and supplies half of the encryptionresult to the EXCLUSIVE OR 110 and the other half as the third ¼ of theprogram key message KM1. The AES encrypter 116 encrypts an output of theEXCLUSIVE OR 110 and the second ½ of the first of the four dynamicallygenerated program keys according to the expanded message segment key C,and supplies half of the encryption result as the first ¼ of the programkey message KM1 and the other half as the fourth ¼ of the program keymessage KM1.

The other three program key messages KM2, KM3, and KM4 are similarlygenerated.

Each modification key message in the modification key message segmentMKMS also has the example construction of FIG. 12. According to thisexample, a modification key message MK1 includes a 64-bit initial value,which may be same initial value as discussed above or a differentinitial value, a 64-bit key control 98, and one of the 128-bitmodification keys divided into two 64-bit portions. The modification keymessages MK2 and MK3 containing the other two modification keys aresimilarly constructed.

Again, the key control 98 is used to designate whether the key messagecontains a program key, a modification key, or the checksum.

In order to encrypt the modification key message MK1, the multiplexer100 passes the three message segment keys A, B, and C and the three Hashvalues A, B, and C from the message segment key and hash value memory 86through the key expander 104 to the second encryption engine 18. Asexplained above, the three message segment keys A, B, and C that areused to encrypt the modification key messages are the message segmentkeys read out of the table 94 by use of the modification keys with thepredetermined value. Thus, the fixed keys K_(A) from the fixed keymemory 82 may be read out of the table 94 as the message segment keys.Alternatively, as explained above, the fixed keys K_(B) from the fixedkey memory 84 can be read out of the table 94 as the message segmentskeys or a combination of the fixed keys K_(A) and K_(B) can be used toread out the message segment keys from the table 94. The key expander104 expands only the message segment keys A, B, and C. The key expander104 does not expand the Hash values A, B, and C. Also, the multiplexer96 passes the first of the modification keys from the modification keymemory 88 to the second encryption engine 18.

The Hash values A, B, and C are applied to the EXCLUSIVE ORs 106, 108,and 110 as before. Also, the expanded message segment keys A, B, and Care applied to the AES encrypters 112, 114, and 116 as before. Theinitial value is applied to the EXCLUSIVE OR 106, the control word isapplied to the AES encrypter 112, a first ½ of the first of the threemodification keys is applied to the AES encrypter 114, and a second halfof the first of the three modification keys is applied to the AESencrypter 116.

The AES encrypter 112 supplies half of its encryption result to theEXCLUSIVE OR 108 and the other half as the second ¼ of the modificationkey message MK1. The AES encrypter 114 supplies half of its encryptionresult to the EXCLUSIVE OR 110 and the other half as the third ¼ of themodification key message MK1. The AES encrypter 116 supplies half of itsencryption result as the first ¼ of the modification key message MK1 andthe other half as the fourth ¼ of the modification key message MK1.

The other two modification key messages MK2 and MK3 and the checksummessage CRC are similarly generated.

The output multiplexer 16 of FIG. 1 muxes the encrypted program data,the MPEG PID header from the transport stream, 192 clock bits which maybe supplied by a separate generator and which may be the SMPTE time code(if any), and 20 forward error correction bytes from the transportstream with the encrypted program key message segment PKMS and theencrypted modification key message segment MKMS to form the encryptedtransport stream. Each of the program key message segment PKMS and themodification key message segment MKMS is contained in a correspondingcomplete ATSC data segment.

The second encryption engine 18 generates the message segments MS inpairs, i.e., the program key message segment PKMS and the modificationkey message segment MKMS. This pair of message segments MS is shown inFIG. 13. The modifier message MM in each message segment MS is providedin accordance with FIGS. 8 and 9. The first message segment shown inFIG. 13 is the modification key message segment MKMS and contains anencrypted form of the three modification keys stored in the modificationkey memory 88 and the checksum (CRC) from the memory 20. The secondmessage segment shown in FIG. 13 is the program key message segment PKMSand contains an encrypted form of the four encrypted new program keys tobe applied by the receiver to decrypt the encrypted program data.

Thus, as shown in FIG. 10, the modifier message MM and the four programkey messages KM1, KM2, KM3, and KM4 of the program key message segmentPKMS are encrypted. Similarly, the modifier message MM, the threemodification key messages MK1, MK2, and MK3, and the checksum messageCRC of the modification key message segment MKMS are encrypted.

The four byte header of the message segment MS shown in FIG. 10 is theMPEG PID. The modifier message MM includes the message control bytesshown in FIG. 9. This control byte identifies the message segment MS ina pair either as the program key message segment PKMS or as themodification key message segment MKMS, as explained above.

FIG. 14 shows the relative message pair transmission and receptiontiming upon which key synchronization is determined. Upon the occurrenceof event 1, which may be a null packet in the MPEG transport stream, aprogram key message segment PKMS as shown in FIG. 14 is transmitted. Thereceiver receives this program key message segment PKMS, decrypts it,and stores the program keys that were contained in the program keymessage segment PKMS as next program keys. However, the receiver doesnot start using these next program keys yet.

After the transmitter transmits the program key message segment PKMS,the encryption encoder 8 of the transmitter makes the three modificationkeys and the modifier message MM, and encrypts the modifier message MMand the three modification keys using the message segment keys and theHash values as described above. The encryption encoder 8 then assemblesthe modification key message segment MKMS containing the encryptedmodifier message MM and the three modification keys as described above.When a null packet is detected (event 2), the transmitter transmits themodification key message segment MKMS in place of the null packet and,at the same time, the encryption encoder 8 begins using the next programkeys stored in the memory 66 as the active program keys to encryptprogram data. Thus, the next program keys become the active programkeys.

At the same time, the receiver receives this modification key messagesegment MKMS and immediately begins using its previously stored nextprogram keys as the active program keys to decrypt program content.Accordingly, the replacement of the active program keys with the nextprogram keys is made at the same time in the transmitter and receiver sothat the transmitter and receiver use the same program keys to encryptand decrypt the same program content.

After the transmitter transits the modification key message segment MKMSand switches program keys, the encryption encoder 8 of the transmittermakes new program keys, and saves the new program keys in the memory 66as the next program keys. The encryption encoder 8 encrypts the newprogram keys and assembles another program key message segment PKMScontaining the new program keys and waits for an opportunity (event 3such as a null packet) to transmit this program key message segmentPKMS.

While the encryption encoder 8 of the transmitter makes new programkeys, saves the new program keys, and assembles the next program keymessage segment PKMS, the receiver decrypts the modification key messagesegment MKMS that it has just received, and saves the modifier messageMM and the modification keys contained in this message.

During segments in which the encryption encoder 8 is not transmittingprogram key message segments PKMS and modification key message segmentsMKMS, the encryption encoder 8 is using the active program keys toencrypt program data and is transmitting the encrypted program data tothe receiver.

During segments in which the receiver is not receiving program keymessage segments PKMS and modification key message segments MKMS, thereceiver is using the active program keys to decrypt program data.

In an embodiment where message transmission and key use is synchronizedto the occurrence of null packets, there may be occasions when nullpackets are occurring with an undesirably high frequency. For example,during periods where there is little action in the video, many nullpackets can occur during a single frame. Therefore, it may be desirableto add a delay function such that message transmission and key switchingdoes not occur more often than a predetermined frequency. For example,this delay function may be set so that message transmission and keyswitching does not occur more often than once per two or three ATSCframes.

During encryption of program data, the encryption block 40 rotates thefour active program keys PK. FIG. 15 shows the rotation. As shown inFIG. 16, each program data segment of a field to be transmitted to thereceiver includes a non-encrypted four byte MPEG header that identifiesthe segment as a program data segment, eleven blocks each containingencrypted 128 bits of program data, eight bytes of non-encrypted programdata, and twenty bytes of non-encrypted forward error correction data.

As shown in FIG. 15, the four active program keys A, B, C, and D areapplied in the following order to the eleven blocks of data in the firstprogram data segment: A, B, C, D, A, B, C, D, A, B, C. Accordingly, theactive program key A is applied to the first of the eleven blocks ofdata to be encrypted, the active program key B is applied to the secondof the eleven blocks of data to be encrypted, . . . , and the activeprogram key C is applied to the eleventh of the eleven blocks of data tobe encrypted.

This same rotation scheme ABCDABCDABC can be used for the next andsubsequent program data segments of a field.

Alternatively, the next program data segment can continue the rotation.Thus, the active program keys A, B, C, and D are applied in thefollowing order to the eleven blocks of data to be encrypted in thesecond program data segment: D, A, B, C, D, A, B, C, D, A, B.Accordingly, the active program key D is applied to the first of theeleven blocks of data to be encrypted, the active program key A isapplied to the second of the eleven blocks of data to be encrypted, . .. , and the active program key B is applied to the eleventh of theeleven blocks of data to be encrypted. The rotation can then becontinued for subsequent program data segments as indicated by FIG. 15.

As a further alternative, other rotation sequences can be used. Bits12-15 of the system control byte shown in FIG. 9 can be used to indicateto the receiver the particular rotation being used in the transmitter.

The output multiplexer 16 transmits encrypted program data segmentscontinuously until an opportunity (event) arises for transmitting amessage segment MS (either a program key message segment PKMS or amodification key message segment MKMS). The occurrence of a null packetgives rise to the opportunity for transmitting one of these messagesegments, the occurrence of the next null packet gives rise to theopportunity for transmitting the other of the message segments MS in thepair, and so on. An objective may be established for transmitting amessage segment MS on a periodic basis dependent upon the occurrence ofa null packet. For example, the objective may be to transmit a messagesegment MS no more often than once per field of 312 segments.

An example decryption decoder 180 of a copy protection receiver is shownin FIG. 17. The decryption decoder 180 includes a PID filter 182 that,based on PID numbers, detects and forwards encrypted program data to afirst decryption engine 184 and detects and forwards program key messagesegments PKMS and modification key message segments MKMS to a seconddecryption engine 186. The first decryption engine 184 performs a singlewrap decryption process which is complementary to the single wrapencryption process performed by the first encryption engine 14.

When the modification key message segment MKMS is received, the seconddecryption engine 186 decrypts (unwraps) this message segment in orderto recover the modification keys and the fixed key and hash valueaddresses of a memory 188. A fixed key selector and message segment keygenerator 190 uses these fixed key and hash value addresses to retrievefixed keys and hash values from the memory 188. In the case ofdecrypting the modification key message segment MKMS, the fixed keyselector and message segment key generator 190 uses the fixed keys andhash values retrieved from the memory 188 along with the a prior knownmodification keys, i.e., the modification keys having the knownpredetermined value, in order to regenerate the message segment keysthat were used in the encryption encoder 8 to encrypt the modificationkeys and the checksum message CRC and that are required by thedecryption decoder 180 to decrypt the encrypted modification keys andthe checksum message CRC. In the case of decrypting the program keymessage segment PKMS, the fixed key selector and message segment keygenerator 190 uses the fixed keys and hash values retrieved from thememory 188 based on the memory addresses contained in the modifiermessage of the program key message segment PKMS along with the decryptedmodification keys in order to regenerate the message segment keys thatwere used in the encryption encoder 8 to encrypt the program keys andthat are required by the decryption decoder 180 to decrypt the encryptedprogram key messages KM1, KM2, KM3, and KM4.

When the program key message segment PKMS is received, the seconddecryption engine 186 decrypts program keys in the message segment MSusing the message segment keys from the fixed key selector and messagesegment key generator 190 and stores the decrypted program keys in thenext portion of a memory 192. In the meantime, the first decryptionengine 184 uses the active program keys stored in the memory 192 todecrypt the encrypted data from the program data segments of the fieldbeing received.

As shown in FIG. 18, the first decryption engine 184 includes threesections 184A, 184B, and 184C. The section 184A includes ade-multiplexer 200, memories 202 and 204, and a multiplexer 206. Thesection 184B includes a memory 208, a decryption block 210, and amultiplexer 212. The section 184C includes a de-multiplexer 214,memories 216 and 218, and a multiplexer 220. The sections 184A, 184B,and 184C are controlled by the PID filter 182.

The PID filter 182 passes all packets in the MPEG transport stream tothe de-multiplexer 200. All packets are de-multiplexed and are stored inthe memories 202 and 204 that operate in a ping-pong fashion. Allpackets in the memories 202 and 204 are supplied to the multiplexer 206.

The multiplexer 206 passes all packets from the memories 202 and 204 tothe memory 208 and to the decryption block 210. These packets includeprogram packets (one or more of which may be encrypted), messagesegments, and such non-program packets as PIDs, PSIPs, PMTS, and PATs.The decryption block 210 uses the decrypted program keys PK to decryptall packets that it receives and supplies the decrypted packets to themultiplexer 212. The multiplexer 212, in response to a decryption flagfrom the PID filter 182, selects only the decrypted packets from thedecryption block 210 which correspond to the selected program orprograms that were to be decrypted. All other packets (those that do notcorrespond to the program to be decrypted) are selected by themultiplexer 212 from the memory 208. Thus, the output of the multiplexer212 is the original MPEG transport stream less null packets andincluding message segments. The multiplexer 212 passes the decrypted andnon-encrypted packets to the de-multiplexer 214.

The decrypted and non-encrypted packets from the de-multiplexer 214 arestored in the memories 216 and 218 that operate in a ping-pong fashion.The decrypted and non-encrypted packets in the memories 216 and 218 aresupplied through the multiplexer 220 to a null inserter 222.

The null inserter 222 is controlled by the PID filter 182 to remove theprogram key message segments PKMS and the modification key messagesegments MKMS from the transport stream, and to insert null packets backinto the transport stream in place of the removed program key messagesegments PKMS and the removed modification key message segments MKMS.The output of the null inserter is the decrypted MPEG transport stream.

The sections 184A and 184C of the first decryption engine 184 arecontrolled by the message packets so as to maintain proper timing, dataflow rates, and synchronization.

The fixed key selector and message segment key generator 190 is shown inmore detail in FIG. 19. As shown in FIG. 19, the program key messagesegments PKMS and the modification key message segments MKMS aresupplied to the second decryption engine 186. Each of these messagesegments has the form shown in FIG. 10. Accordingly, as shown in FIG.20, the modifier message MM in the received message segment is decryptedusing the three fixed keys A′, B′, and C′ and the three Hash values A′,B′, and C′ which are stored in a memory 230. The three fixed keys A′,B′, and C′ and the three Hash values A′, B′, and C′ stored in memory 230are the same fixed keys and Hash values that are stored in the memory102.

The decrypted modifier message MM indicates to the receiver, inter alia,whether the corresponding message segment is a program key messagesegment PKMS or a modification key message segment MKMS. If thecorresponding message segment is a program key message segment PKMS, thereceiver knows to use the decrypted modification keys K_(M) as well asthe fixed keys K_(A) and K_(B) to produce that the message segment keysthat are required for decryption of the program key messages. If thecorresponding message segment is a modification key message segmentMKMS, the receiver knows to use the known modification keys having thepredetermined value in order to read out the fixed keys K_(A), K_(B), orsome combination of K_(A) and K_(B) as the message segment keys that arerequired for decryption of the modification key messages and thechecksum message CRC.

In order to decrypt the modifier message MM in a received one of themodification key message segments MKMS or the program key messagesegments PKMS, a multiplexer 232 passes the three fixed keys A′, B′, andC′ and the three Hash values A′, B′, and C′ from the memory 230 througha key expander 234 to the second encryption engine 186. The key expander234, for example, may be similar to the key expander 104 and expandsonly the fixed keys A′, B′, and C′. The key expander 234 does not expandthe Hash values A′, B′, and C′.

The second encryption engine 186 which performs an operationcomplementary to that performed by the encryption engine 18 is shown inmore detail in FIG. 20. As shown in FIG. 20, the Hash value C′ isapplied to an EXCLUSIVE OR 236, the Hash value B′ is applied to anEXCLUSIVE OR 238, and the Hash value A′ is applied to an EXCLUSIVE OR240. The EXCLUSIVE ORs 236, 238, and 240 bit-wise process theirrespective inputs. The expanded fixed key C′ is applied to an AESdecrypter 242, the expanded fixed key B′ is applied to an AES decrypter244, and the expanded fixed key A′ is applied to an AES decrypter 246.

The first ¼ of the encrypted modifier message MM is applied to the AESdecrypter 242, the second ¼ of the encrypted modifier message MM isapplied to the AES decrypter 246, the third ¼ of the encrypted modifiermessage MM is applied to the AES decrypter 244, and the fourth ¼ of theencrypted modifier message MM is applied to the AES decrypter 242.

The AES decrypter 242 decrypts the first ¼ and the fourth ¼ of theencrypted modifier message MM according to the expanded fixed key C′,and supplies half of the decryption result to the EXCLUSIVE OR 236 andthe other half as the third ⅓ of the control bits of the decryptedmodifier message MM. The AES decrypter 244 decrypts an output of theEXCLUSIVE OR 236 and the third ¼ of the encrypted modifier message MMaccording to the expanded fixed key B′, and supplies half of thedecryption result to the EXCLUSIVE OR 238 and the other half as thesecond ⅓ of the control bits of the decrypted modifier message MM. TheAES encrypter 246 decrypts an output of the EXCLUSIVE OR 238 and thesecond ¼ of the encrypted modifier message MM according to the expandedfixed key A′, and supplies half of the encryption result to theEXCLUSIVE OR 240 and the other half as the first ⅓ of the decryptedmodifier message MM. The output of the EXCLUSIVE OR 240 is the initialvalue of the modifier message MM. If this initial value is not the sameinitial value that was used during encryption of the modifier messageMM, then the encryption/decryption process has an error that indicateserroneous message decryption.

As shown in FIG. 19, a multiplexer 250 applies the control bits of thedecrypted modifier message MM to a modifier message decoder 252.

After decryption of the modifier message MM, the multiplexer 232 passesthe three message segment keys A, B, and C and the three hash values A,B, and C stored in a message segment key memory 254 to the key expander234. When the modification key message segment MKMS is being decrypted,these three message segment keys are produced with the modification keyshaving the predetermined value. The key expander expands only the threemessage segment keys A, B, and C, it does not expand the three hashvalues A, B, and C. The three expanded message segment keys A, B, and Cand the three hash values A, B, and C are used by the second decryptionengine 186 to decrypt the modification key message MK1 in the receivedmodification key message segment MKMS. As indicated above, each of thethree modification key messages MK1, MK2, and MK3 and the checksummessage CRC has the format shown in FIG. 12, and the control of each ofthe messages is the key control 98 that indicates whether the particularmessage is a program key message, a modification key message, or achecksum message.

As shown in FIG. 20, the Hash value C is applied to the EXCLUSIVE OR236, the Hash value B is applied to the EXCLUSIVE OR 238, and the Hashvalue A is applied to the EXCLUSIVE OR 240. The expanded fixed key C isapplied to the AES decrypter 242, the expanded fixed key B is applied tothe AES decrypter 244, and the expanded fixed key A is applied to theAES decrypter 246.

The first ¼ of the encrypted modification key message MK1 is applied tothe AES decrypter 242, the second ¼ of the encrypted modification keymessage MK1 is applied to the AES decrypter 246, the third ¼ of theencrypted modification key message MK1 is applied to the AES decrypter244, and the fourth ¼ of the encrypted modification key message MK1 isapplied to the AES decrypter 242.

The AES decrypter 242 supplies half of its decryption result to theEXCLUSIVE OR 236 and the other half as the second ½ of the decryptedmodification key MK1. The AES decrypter 244 supplies half of itsdecryption result to the EXCLUSIVE OR 238 and the other half as thefirst ½ of the decrypted modification key. The AES encrypter 246supplies half of its encryption result to the EXCLUSIVE OR 240 and theother half as the control of the decrypted modification key. The outputof the EXCLUSIVE OR 240 is the initial value of the modification keymessage. If this initial value is not the same initial value that wasused during encryption of the modification key MK1, then theencryption/decryption process has an error that indicates the need forremedial action.

The decryption engine 186 similarly decrypts the modification keymessages MK2 and MK3 and the checksum message CRC. The multiplexer 250passes the controls and the checksum as indicated in FIG. 19, and passesthe modification keys for storage in a modification key memory 256.

Following decryption of the received modification key message segmentMKMS, the fixed key selector and message segment key generator 190 canbegin generating new message segment keys that will be used to decryptthe programs keys from the next received program key message segmentPKMS.

The modifier message decoder 252 decodes the received and decryptedmodifier message MM in each of the message segments to determine theaddresses according to the modifier message format and definition shownin FIGS. 8 and 9. The fixed key selector 260 uses these addresses toselect, from the memory 188, the same three K_(A) keys, the same threeK_(B) fixed keys, and the same three Hash values A, B, and C that wereused to produce the message segment keys A, B, and C that were used toencrypt the message segments PKMS and MKMS in the encryption encoder 8.A first key memory 262 stores the selected three K_(A) keys, a secondfixed key memory 264 stores the selected three fixed K_(B) keys, and themessage segment key memory 254 stores the selected three Hash values A,B, and C.

A message segment key generator 266 may have the same construction asthe message segment key generator 90 shown in FIG. 6. Accordingly, thelatch 92 ₁ latches the first 32 bits of a first of the three fixed keysK_(A) stored in the fixed key memory 262, the latch 92 ₂ latches thefirst 32 bits of a first of the three fixed keys K_(B) stored in thefixed key memory 264, and the latch 92 ₃ latches the first 32 bits of afirst of the three modification keys K_(M) stored in the modificationkey memory 256 when message segment keys are being produced to decryptprogram keys (otherwise, the modification keys having the predeterminedvalue are used to generate message segment keys to decrypt modificationkeys). These 96 latched bits form a 96 bit address that reads out thefirst 32 bits of a first message segment key for storage in the messagesegment key memory 254.

The same table that was selected in the transmitter is selected in thereceiver to provide the three message segment keys that are stored inthe message segment key memory 254.

After the first 32 bits of the first message segment key are read out ofthe look up table 94 and are stored in the message segment key memory254, the latch 92 ₁ latches the second 32 bits of the first of the threefixed keys K_(A) stored in the fixed key memory 262, the latch 92 ₂latches the second 32 bits of the first of the three fixed keys K_(B)stored in the fixed key memory 264, and the latch 92 ₃ latches thesecond 32 bits of the first of the three modification keys K_(M) storedin the modification key memory 256 when message segment keys are beingproduced to decrypt program keys (otherwise, the modification keyshaving the predetermined value are used to generate message segment keysto decrypt modification keys). These 96 latched bits form a second 96bit address that reads out the second 32 bits of the first messagesegment key for storage in the message segment key memory 254.

The third and fourth 32 bits of the first of the three fixed keys K_(A)stored in the fixed key memory 262, of the first of the three fixed keysK_(B) stored in the fixed key memory 264, and of the first of the threemodification keys K_(M) stored in the modification key memory 256 areused to read out the third and fourth 32 bits of the first messagesegment key from the look up table 94 when message segment keys arebeing produced to decrypt program keys (otherwise, the modification keyshaving the predetermined value are used to generate message segment keysto decrypt modification keys. These third and fourth 32 bits of thefirst message segment key are also stored in the message segment keymemory 254 to form all 128 bits of the first message segment key. Thesecond and third message segment keys are similarly read out of the lookup table 94 and stored in the message segment key memory 254.

When the next program key message segment PKMS is received, the modifiermessage MM in the received message segment MS is decrypted as beforeusing the fixed keys A′, B′, and C′ and the Hash values A′, B′, and C′stored in the memory 230. Then, the multiplexer 232 passes the threemessage segment keys A, B, and C and the three Hash values A, B, and Cfrom the message segment key memory 254 through the key expander 234 tothe second encryption engine 186. The key expander 234 expands only themessage segment keys A, B, and C. The key expander 234 does not expandthe Hash values A, B, and C.

In the second encryption engine 186, the Hash value C is applied to theEXCLUSIVE OR 236, the Hash value B is applied to the EXCLUSIVE OR 238,and the Hash value A is applied to the EXCLUSIVE OR 240. The expandedfixed key C is applied to the AES decrypter 242, the expanded fixed keyB is applied to the AES decrypter 244, and the expanded fixed key A isapplied to the AES decrypter 246.

The first ¼ of the encrypted first program key message KM1 is applied tothe AES decrypter 242, the second ¼ of the encrypted first program keymessage KM1 is applied to the AES decrypter 246, the third ¼ of theencrypted first program key message KM1 is applied to the AES decrypter244, and the fourth ¼ of the encrypted first program key message KM1 isapplied to the AES decrypter 242.

The AES decrypter 242 decrypts the first ¼ and the fourth ¼ of theencrypted first program key message KM1 message according to theexpanded fixed key C, and supplies half of the decryption result to theEXCLUSIVE OR 236 and the other half as the second ½ of the first programkey of the decrypted first program key message KM1. The AES decrypter244 decrypts an output of the EXCLUSIVE OR 236 and the third ¼ of theencrypted first program key message KM1 according to the expanded fixedkey B, and supplies half of the decryption result to the EXCLUSIVE OR238 and the other half as the first ½ of the first program key of thedecrypted first program key message KM1. The AES encrypter 246 decryptsan output of the EXCLUSIVE OR 238 and the second ¼ of the encryptedfirst program key message KM1 according to the expanded fixed key A, andsupplies half of the encryption result to the EXCLUSIVE OR 240 and theother half as the control of the decrypted first program key messageKM1. The output of the EXCLUSIVE OR 240 is the initial value of thefirst program key message KM1. If this initial value is not the sameinitial value as was used during encryption of the first program keymessage KM1, then the encryption/decryption process has an error thatindicates the need for remedial action.

The other three program key messages KM2, KM3, and KM4 are similarlydecrypted.

The multiplexer 250 of FIG. 19 passes these four program keys to thenext portion of the memory 192 and passes the control of each of thedecrypted program key messages KM1, KM2, KM3, and KM4.

A multiplexer 270 passes the active program keys, using the rotationdiscussed above in relation to FIGS. 15 and 16, through a key expander272 to the decryption block 210 so that the appropriate data can bedecrypted. The key expander 272 may be constructed in accordance withFIG. 4. As in the case of key expander 70, the key expander 272 alsoincludes an inverse key block. This inverse key block is disabled duringprogram decryption and is enabled during decryption of the program keymessage segment PKMS and the modification key message segment MKMS.

While the active keys from the active portion of the memory 192 arebeing used by the decryption block 210 to decrypt data, the next programkeys are received and stored in the next portion of the memory 192.

The modifier message decoder 252 also decodes the full system control ofthe received and decrypted modifier message MM. As discussed above, thesystem control of the modifier message MM is shown in FIG. 9.Accordingly, the modifier message decoder 252 applies the same CRC codeas the encoder to bits 0-15 of the system control of the modifiermessage MM in the received message segment PKMS or MKMS in order torecalculate the checksum bits 16-31. The receiver compares therecalculated checksum from bits 0-15 to the checksum bits 16-31 in thereceived system control. If the recalculated ckecksum from bits 0-15 andthe received checksum bits 16-31 do not match, the received messagesegment is treated as the next message segment expected to be receivedin the sequence of received message segments.

Also, the modifier message decoder 252 uses the decoded bits 12-15 ofthe system control to determine the program key rotation that should beused by the decryption block 210 to decrypt the encrypted programpackets as shown by the line extending from the modifier message decoder252 to the control of the multiplexer 270 which selects the next activekey to be used.

Certain modifications of the present invention have been discussedabove. Other modifications of the present invention will occur to thosepracticing in the art of the present invention. For example, thememories as described above may be ROMs, RAMs, non-volatile RAMs, and/orany other suitable memory devices.

Furthermore, as disclosed above, a 96×32 look up table 94 is used toproduce the message segment keys. Accordingly, 96 address bits are usedto read 32 bits of a message segment key. Instead, other look up tablesand addressing schemes may be used to produce the message segment keys.For example, a 384×128 look up table can be used to produce the messagesegment keys. Accordingly, 384 address bits comprising 128 K_(M) bits,128 K_(A) bits, and 128 K_(B) bits are used to read a 128 bit messagesegment key. Whichever look up table and addressing scheme is used inthe transmitter, the same look up table and addressing scheme should beused in the receiver.

Accordingly, the description of the present invention is to be construedas illustrative only and is for the purpose of teaching those skilled inthe art the best mode of carrying out the invention. The details may bevaried substantially without departing from the spirit of the invention,and the exclusive use of all modifications which are within the scope ofthe appended claims is reserved.

1. An encryption method performed by a transmitter comprising:encrypting data by use of data keys; encrypting the data keys based onfirst message segment keys, wherein the first message segment keys aregenerated from first modification keys and first fixed keys, wherein thefirst modification keys are randomly generated, and wherein the firstfixed keys are randomly selected from a memory; encrypting the firstmodification keys based on second message segment keys, wherein thesecond message segment keys are generated from second modification keysand second fixed keys, wherein the second modification keys havepredetermined values known to both the transmitter and a receiver;transmitting the encrypted data, the encrypted data keys, and theencrypted first modification keys to the receiver.
 2. The encryptionmethod of claim 1 wherein the second fixed keys are randomly selectedfrom a memory.
 3. The encryption method of claim 1 further comprisingtransmitting memory addresses for the first fixed keys to the receiver.4. The encryption method of claim 1 wherein the data keys comprisesrandomly generated data keys.
 5. The encryption method of claim 1wherein the second fixed keys are different than the first fixed keys.6. The encryption method of claim 1 wherein the first message segmentkeys are generated from the first modification keys and the first fixedkeys in accordance with a logic function.
 7. An encryption methodperformed by a transmitter comprising: encrypting data by use of datakeys; encrypting the data keys based on first message segment keys,wherein the first message segment keys are generated from firstmodification keys and first fixed keys, wherein the first modificationkeys are randomly generated, and wherein the first fixed keys arerandomly selected from a memory; encrypting the first modification keysbased on second message segment keys, wherein the second message segmentkeys are generated from second modification keys and second fixed keys,wherein the second modification keys have predetermined values known toboth the transmitter and a receiver; transmitting the encrypted data,the encrypted data keys, and the encrypted first modification keys tothe receiver; transmitting memory addresses for the first fixed keys tothe receiver; encrypting the memory addresses by use of third fixed keyshaving predetermined values known to both the transmitter and receiver;and, transmitting the encrypted memory addresses to the receiver.
 8. Theencryption method of claim 7 wherein the second fixed keys are randomlyselected from a memory.
 9. A decryption method performed by a receivercomprising: receiving encrypted first modification keys, encrypted datakeys, and encrypted data from a transmitter, wherein the firstmodification keys are keys randomly generated by the transmitter;decrypting the encrypted first modification keys based on first messagesegment keys, wherein the first message segment keys are generated fromsecond modification keys and first fixed keys, wherein the secondmodification keys have predetermined values known to both thetransmitter and the receiver; decrypting the encrypted data keys basedon second message segments keys, wherein the second message segment keysare generated from the decrypted first modification keys and secondfixed keys, wherein the second fixed keys are read from a memory basedon randomly generated addresses received from the transmitter; and,decrypting the encrypted data by use of the decrypted data keys.
 10. Thedecryption method of claim 9 wherein the first fixed keys are read froma memory based on randomly generated addresses received from thetransmitter.
 11. The decryption method of claim 9 wherein the encrypteddata keys comprise data keys that are randomly generated and encryptedby the transmitter.
 12. The decryption method of claim 9 wherein thesecond fixed keys are different than the first fixed keys.
 13. Thedecryption method of claim 9 wherein the second message segment keys aregenerated from the decrypted first modification keys and the secondfixed keys in accordance with a logic function.
 14. A decryption methodperformed by a receiver comprising: receiving encrypted firstmodification keys, encrypted data keys, and encrypted data from atransmitter, wherein the first modification keys are keys randomlygenerated by the transmitter; decrypting the encrypted firstmodification keys based on first message segment keys, wherein the firstmessage segment keys are generated from second modification keys andfirst fixed keys, wherein the second modification keys havepredetermined values known to both the transmitter and the receiver;decrypting the encrypted data keys based on second message segmentskeys, wherein the second message segment keys are generated from thedecrypted first modification keys and second fixed keys, wherein thesecond fixed keys are read from a memory based on randomly generatedaddresses received from the transmitter; and, decrypting the encrypteddata by use of the decrypted data keys; wherein the receiving ofencrypted first modification keys, encrypted data keys, and encrypteddata from a transmitter comprises receiving the memory addresses fromthe transmitter, wherein the received memory addresses are encrypted,and wherein the decryption method further comprises decrypting theencrypted memory addresses by use of third fixed keys havingpredetermined values known to both the transmitter and receiver.
 15. Thedecryption method of claim 14 wherein the first fixed keys are read froma memory based on randomly generated addresses received from thetransmitter.
 16. An encryption system of a transmitter comprising: afirst encryption engine that encrypts data by use of data keys; a secondencryption engine that encrypts the data keys based on first messagesegment keys, wherein the first message segment keys are generated fromfirst modification keys and first fixed keys, wherein the firstmodification keys are randomly generated, wherein the first fixed keysare randomly selected from a memory, wherein the second encryptionengine also encrypts the first modification keys based on second messagesegment keys, wherein the second message segment keys are generated fromsecond modification keys and second fixed keys, wherein the secondmodification keys have predetermined values known to both thetransmitter and a receiver; and, a transmitter that transmits theencrypted data, the encrypted data keys, and the encrypted firstmodification keys to the receiver.
 17. The encryption system of claim 16wherein the second fixed keys are randomly selected from a memory. 18.The encryption system of claim 16 further comprising a memory thatstores the first fixed keys, wherein the transmitter transmits memoryaddresses of the memory for the first fixed keys to the receiver. 19.The encryption system of claim 18 wherein the second encryption engineencrypts the memory addresses by use of third fixed keys havingpredetermined values known to both the transmitter and receiver, andwherein the transmitter transmits the encrypted memory addresses to thereceiver.
 20. The encryption system of claim 19 wherein the second fixedkeys are randomly selected from a memory.
 21. The encryption system ofclaim 16 wherein the data keys comprises randomly generated data keys.22. The encryption system of claim 16 wherein the second fixed keys aredifferent than the first fixed keys.
 23. The encryption system of claim16 wherein the first message segment keys are generated from the firstmodification keys and the first fixed keys in accordance with a logicfunction.
 24. A decryption system of a receiver, wherein the receiverreceives encrypted first modification keys, encrypted data keys, andencrypted data from a transmitter, wherein the first modification keysare keys randomly generated by the transmitter, and wherein thedecryption system comprises: a first decryption engine that decrypts theencrypted first modification keys based on first message segment keys,wherein the first message segment keys are generated from secondmodification keys and first fixed keys, wherein the second modificationkeys have predetermined values known to both the transmitter and thereceiver, wherein the first decryption engine also decrypts theencrypted data keys based on second message segments keys, wherein thesecond message segment keys are generated from the decrypted firstmodification keys and second fixed keys, and wherein the second fixedkeys are read from a memory based on randomly generated addressesreceived from the transmitter; and, a second decryption engine thatdecrypts the encrypted data by use of the decrypted data keys.
 25. Thedecryption system of claim 24 wherein the first fixed keys are read froma memory based on randomly generated addresses received from thetransmitter.
 26. The decryption system of claim 24 wherein thedecryption system receives the memory addresses from the transmitter,wherein the received memory addresses are encrypted, and wherein thefirst decryption engine decrypts the encrypted memory addresses by useof third fixed keys having predetermined values known to both thetransmitter and receiver.
 27. The decryption system of claim 26 whereinthe first fixed keys are read from a memory based on randomly generatedaddresses received from the transmitter.
 28. The decryption method ofclaim 24 wherein the encrypted data keys comprise data keys that arerandomly generated and encrypted by the transmitter.
 29. The decryptionmethod of claim 24 wherein the second fixed keys are different than thefirst fixed keys.
 30. The decryption system of claim 24 wherein thesecond message segment keys are generated from the decrypted firstmodification keys and the second fixed keys in accordance with a logicfunction.